ilia/ansible
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
ansible/roles/base_os/README.md
ilia c7a300b922
Some checks failed
CI / lint-and-test (pull_request) Successful in 1m21s
Details
CI / ansible-validation (pull_request) Successful in 9m3s
Details
CI / secret-scanning (pull_request) Successful in 3m19s
Details
CI / dependency-scan (pull_request) Successful in 7m13s
Details
CI / sast-scan (pull_request) Successful in 6m38s
Details
CI / license-check (pull_request) Successful in 1m16s
Details
CI / vault-check (pull_request) Failing after 6m40s
Details
CI / playbook-test (pull_request) Successful in 9m28s
Details
CI / container-scan (pull_request) Successful in 7m59s
Details
CI / sonar-analysis (pull_request) Failing after 1m11s
Details
CI / workflow-summary (pull_request) Successful in 1m11s
Details
Add POTE app project support and improve IP conflict detection 
- Add roles/pote: Python/venv deployment role with PostgreSQL, cron jobs
- Add playbooks/app/: Proxmox app stack provisioning and configuration
- Add roles/app_setup: Generic app deployment role (Node.js/systemd)
- Add roles/base_os: Base OS hardening role
- Enhance roles/proxmox_vm: Split LXC/KVM tasks, improve error handling
- Add IP uniqueness validation: Preflight check for duplicate IPs within projects
- Add Proxmox-side IP conflict detection: Check existing LXC net0 configs
- Update inventories/production/group_vars/all/main.yml: Add pote project config
- Add vault.example.yml: Template for POTE secrets (git key, DB, SMTP)
- Update .gitignore: Exclude deploy keys, backup files, and other secrets
- Update documentation: README, role docs, execution flow guides

Security:
- All secrets stored in encrypted vault.yml (never committed in plaintext)
- Deploy keys excluded via .gitignore
- IP conflict guardrails prevent accidental duplicate IP assignments
2025-12-28 20:54:50 -05:00

710 B
Raw Blame History

base_os

Baseline OS configuration for app guests:

  • Installs required packages (git/curl/nodejs/npm/ufw/openssh-server/etc.)
  • Creates deployment user (default appuser) with passwordless sudo
  • Adds your authorized SSH key
  • Configures UFW to allow SSH + backend/frontend ports

Variables

See defaults/main.yml. Common inputs in the app stack:

  • appuser_name, appuser_groups, appuser_shell
  • appuser_ssh_public_key (usually {{ vault_ssh_public_key }})
  • components.backend, components.frontend (enable/disable firewall rules per component)
  • app_backend_port, app_frontend_port

This role is used by playbooks/app/configure_app.yml after provisioning.